In a typical networked computer system, application programs engage in network communications with other devices or computer systems in a structured manner. Many computer systems employ library routines known as “sockets” that carry out high-level communications requests generated by application programs. Each socket in turn relies on the functionality of a protocol stack in the operating system that implements lower-level network functionality. An example of a protocol stack in wide use today is the Transmission Control Protocol/Internet Protocol (TCP/IP) stack. TCP is a communication oriented, end-to-end transport mechanism, and IP is a packet routine protocol that is used to carry TCP-generated packets. An alternative protocol is the User Datagram Protocol (UDP), which provides for delivery of individual “datagrams” or packets without any session context such as appears in TCP.
Both TCP and UDP utilize the notion of a “port” to identify users of the service, typically application programs. Application programs associate their sockets with specific ports using a “bind” operation. Each bind operation informs the operating system that communications between the socket and the network are to be tagged with the designated port number. By tagging the communications of different applications with different port numbers, the protocol stack can coherently provide communications services for potentially numerous applications.
As part of operation with TCP in particular, an application performs a “listen” operation when it is ready to accept incoming TCP connection requests directed to a particular port designated as part of the listen operation. A good example of such an application program is a web server, which typically waits for remote clients to establish connections over which the client-server communications are subsequently conducted. When an application program performs a listen operation, the operating system enables a queue onto which incoming connection requests for the designated port are placed. At this point the port is said to be “open” If a listen operation for a particular port has not occurred, then the port is “closed” and any incoming connection requests for the port are discarded.
As a final step in TCP connection establishment, an application program performs an “accept” operation to accept a connection request from the now-enabled queue. When an accept operation is performed and the queue is empty, the application program is notified that there are no new connection requests. When an accept operation is performed and there is at least one connection request on the queue, the accepting computer system generates appropriate signaling back to the requesting computer system and sets up internal mechanisms for passing communications internally between the application program and the network interface. The two endpoints of the connection can now exchange packets. This connection-establishment operation is fundamental to TCP operation—any attempt to simply transmit data packets from one end to the other without having first established a connection will result in the discarding of such packets.
UDP operation is somewhat different than TCP operation. Once the socket has been bound to a port, packets may be transmitted/received by the application program to/from a far-end source/destination. An application transmits a packet by passing it to UDP with information identifying the intended recipient (typically an IP address). To receive a UDP datagram, an application may poll the port or utilize an internal notification mechanism such as an interrupt.
It is known that the network interface of a computer system presents challenges from the perspective of system security. Server-type computer systems, for example, must have some degree of openness at their network interfaces in order to function properly, i.e., to establish connections on request of clients and engage in whatever communications activity is required in satisfying a client request. Attackers often gain access via a network interface, for example by directing connection requests to various ports and, when a connection request is accepted, manipulating an application and/or the operating system remotely via the connection. There are existing security tools that an administrator can use to identify the network ports that are active on a computer system. The administrator can use this information to help identify potential points of entry for an attacker, such that appropriate counter-measures can be taken. These might include, for example, de-activating unnecessary application programs or placing a limit on the number of ports or connections that can be active at one time.